BreachExchange mailing list archives

Industry Comments on HHS Breach Rule
From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Sun, 3 Jan 2010 13:43:29 -0500

Industry Comments on HHS Breach Rule
http://www.information-management.com/news/data_breach_security-10016802-1.html

Following the Department of Health and Human Services' issuance of an
interim final rule governing notification of breaches of protected
health information, industry representatives and members of Congress
submitted letters of comment to HHS Secretary Kathleen Sebelius.
Here's a sampling of comments.

House Reps. Oppose Breach Rule

Six leaders of the House Ways and Means and Energy and Commerce
Committees - five Democrats and one Republican - sent the following
letter to Secretary Sebelius:

"We are deeply concerned about the high bar that the Department of
Health and Human Services has set for notification of individuals in
the case of an unauthorized use or disclosure of personal health
information in its Aug. 24, 2009, interim final regulations on Breach
Notification for Unsecured Protected Health Information promulgated
pursuant to the American Recovery and Reinvestment Act of 2009. This
is not consistent with Congressional intent.

"ARRA included provisions promoting health information technology as a
foundation for quality and efficiency improvements in the U.S. health
care system. However, these benefits can be fully realized only with
the inclusion of strong safeguards that protect the privacy and
security of individuals' personal health information. To gain the
public trust, it is imperative that there is effective implementation
of those provisions by HHS.

"Section 13402 of ARRA requires health care entities to notify
individuals if there is an 'unauthorized acquisition, access, use, or
disclosure of protected health information which compromises the
security or privacy of such information.' In its interim final rule,
HHS interpreted the term 'compromises' to include a substantial harm
standard. If the breaching entity decides there is no significant risk
of financial, reputational or other harm to the individual, that
provider or health insurer never has to notify their patients that
their sensitive health information was used or disclosed in violation
of the federal privacy rule.

"ARRA's statutory language does not imply a harm standard. In drafting
Section 13402, Committee members specifically considered and rejected
such a standard due to concerns over the breadth of discretion that
would be given to breaching entities, particularly with regard to
determining something as subjective as harm from the release of
sensitive and personal health information.

"In fact, during development towards final policy, the Committee on
Energy and Commerce released a discussion draft of health information
technology and privacy legislation in May of 2008. In that draft, in
addition to a definition of breach similar to that used here, the
language specifically included a harm standard that was later
rejected. The discussion draft only required patients to be notified
if the unauthorized use of personal health information could
'reasonably result in substantial harm, embarrassment, inconvenience
or unfairness to the individual.'

"Members considered the comments they received, the practices of
States, and ultimately decided against inclusion of a harm standard.
Instead, Members reported and passed legislation that has a black and
white standard for notification with a safe harbor for information
that is rendered unusable, unreadable, or indecipherable to
unauthorized individuals, and other specific exceptions. The primary
purpose for mandatory breach notification is to provide incentives for
health care entities to protect data, such as through strong
encryption or destruction methodologies and to allow individuals to
assess the level of unauthorized use or disclosure of their
information. Such transparency allows the consumer to judge the
quality of a health care entity's privacy protection based on how many
breaches occur, enabling them to choose entities with better privacy
practices. Furthermore, a black and white standard makes
implementation and enforcement simpler.

"We urge HHS to revise or repeal the harm standard provision included
in its interim final rule at the soonest appropriate opportunity. We
hope to work more closely with the agency on future privacy
regulations and request this letter be submitted as part of the
official comments (reference number RIN 0991-AB56). Thank you for your
ongoing commitment and attention to protecting Americans' health
information privacy."

[..]
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/